High severity · NVD Advisory · Published Feb 13, 2013 · Updated Apr 29, 2026
CVE-2013-0269
Description
The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
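The description covers two consequences of one parser feature: when `create_additions` is on (the default for `JSON.parse` in the affected versions), any JSON object carrying a `json_class` key is handed to that class's `json_create` method. A remote document can therefore mint arbitrary Symbols, which Ruby did not garbage-collect before 2.2 (the resource-consumption DoS), or instantiate any other reachable class that defines `json_create`. The Ruby script below is an added illustration, not code from the advisory, Rails or the json gem: it reproduces the pre-fix behaviour by passing the option explicitly, shows the fixed default, and adds a wrapper for untrusted input. The `AuditEntry` class, both payloads and the `parse_untrusted`/`contains_json_class?` helpers are constructed for this example.

```ruby
require 'json'
require 'json/add/symbol' # defines Symbol.json_create, as json/add/core did on affected installs

# Constructed payloads (not taken from the advisory). A "json_class" key asks an
# additions-enabled parser to pass the hash to <named class>.json_create.
SYMBOL_PAYLOAD = '{"json_class":"Symbol","s":"admin"}'
OBJECT_PAYLOAD = '{"json_class":"AuditEntry","action":"drop_table"}'

# Hypothetical application class: any reachable constant with a json_create
# method is a target, not just Symbol.
class AuditEntry
  attr_reader :action

  def initialize(action)
    @action = action
  end

  def self.json_create(hash)
    new(hash['action'])
  end
end

# Fixed behaviour (json 1.5.5 / 1.6.8 / 1.7.7 and later): JSON.parse leaves
# create_additions off, so json_class is an ordinary string key.
def parse_default(doc)
  JSON.parse(doc)
end

# Pre-fix default for JSON.parse, reproduced by passing the option explicitly:
# the parser instantiates whatever class the document names.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# True if a json_class key (JSON.create_id) appears at any depth.
def contains_json_class?(value)
  case value
  when Hash  then value.key?(JSON.create_id) || value.values.any? { |v| contains_json_class?(v) }
  when Array then value.any? { |v| contains_json_class?(v) }
  else false
  end
end

# Wrapper for untrusted input: additions stay off, and documents that try to
# name a class are rejected outright rather than silently treated as data.
def parse_untrusted(doc)
  data = JSON.parse(doc, create_additions: false)
  raise ArgumentError, "#{JSON.create_id} is not allowed in untrusted input" if contains_json_class?(data)
  data
end

if __FILE__ == $PROGRAM_NAME
  p parse_default(SYMBOL_PAYLOAD)                 # plain Hash
  p parse_with_additions(SYMBOL_PAYLOAD)          # :admin, a freshly interned Symbol
  p parse_with_additions(OBJECT_PAYLOAD).action   # "drop_table", via AuditEntry.json_create
  begin
    parse_untrusted(OBJECT_PAYLOAD)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Caveat for anyone auditing call sites: the fix changed the default only for `JSON.parse`; `JSON.load` kept `create_additions` enabled, so the same payloads still instantiate objects through it. Untrusted input should go through `JSON.parse` (or `JSON.load(doc, nil, create_additions: false)`), never through a bare `JSON.load`.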
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| json (RubyGems) | < 1.5.5 | 1.5.5 |
| json (RubyGems) | >= 1.6.0, < 1.6.8 | 1.6.8 |
| json (RubyGems) | >= 1.7.0, < 1.7.7 | 1.7.7 |
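The three ranges above are easy to get wrong by eye (1.5.5 is patched, 1.6.0 is affected again, 1.8.x was never affected). The Ruby snippet below, an added example rather than tooling from the gem or the advisory, encodes the table with `Gem::Version` and scans a Gemfile.lock for pinned json versions; the lockfile fragment is constructed for the example.

```ruby
require 'rubygems'

# Affected ranges from the advisory table: [lower bound inclusive (nil = none),
# upper bound exclusive]. The upper bound of each range is the patched release.
AFFECTED_RANGES = [
  [nil,     '1.5.5'],
  ['1.6.0', '1.6.8'],
  ['1.7.0', '1.7.7']
].map { |lo, hi| [lo && Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# Gem::Version gives proper segment-wise comparison, so "1.10.0" sorts above
# "1.7.7" and prerelease tags such as "1.7.7.pre" sort below the release.
def affected?(version_string)
  v = Gem::Version.new(version_string)
  AFFECTED_RANGES.any? { |lo, hi| (lo.nil? || v >= lo) && v < hi }
end

# Pinned spec lines in a Gemfile.lock sit at exactly four spaces of indentation
# ("    json (1.7.6)"); dependency lines underneath are indented six and are
# skipped, so "~> 1.7" constraints are not mistaken for resolved versions.
def json_versions_from_lockfile(lockfile_text)
  lockfile_text.scan(/^ {4}json \(([^)]+)\)/).flatten
end

def vulnerable_json_versions(lockfile_text)
  json_versions_from_lockfile(lockfile_text).select { |v| affected?(v) }
end

# Constructed Gemfile.lock fragment (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (3.2.11)
        i18n (~> 0.6)
        multi_json (~> 1.0)
      json (1.7.6)
      multi_json (1.5.0)
      rails (3.2.11)
        activesupport (= 3.2.11)
        json (~> 1.7)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.2.11)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "installed: #{Gem::Version.new(JSON::VERSION)} affected? #{affected?(JSON::VERSION)}" if defined?(JSON::VERSION)
  puts "lockfile json versions: #{json_versions_from_lockfile(SAMPLE_LOCK).inspect}"
  puts "vulnerable: #{vulnerable_json_versions(SAMPLE_LOCK).inspect}"
end
```

Point it at a real lockfile with `File.read('Gemfile.lock')`; for a running process, `JSON::VERSION` after `require 'json'` tells you which copy actually loaded, which matters when a vendored or bundled json differs from the system gem.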
Affected products
- cpe:2.3:a:rubygems:json_gem:1.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:json_gem:1.7.6:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- secunia.com/advisories/52075 (nvd: Vendor Advisory)
- weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/ (nvd: Vendor Advisory)
- github.com/advisories/GHSA-x457-cw4h-hq5f (ghsa: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2013-0269 (ghsa: Advisory)
- lists.apple.com/archives/security-announce/2013/Oct/msg00006.html (nvd: Web)
- lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html (nvd: Web)
- lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html (nvd: Web)
- lists.opensuse.org/opensuse-updates/2013-04/msg00034.html (nvd: Web)
- rhn.redhat.com/errata/RHSA-2013-0686.html (nvd: Web)
- rhn.redhat.com/errata/RHSA-2013-0701.html (nvd: Web)
- rhn.redhat.com/errata/RHSA-2013-1028.html (nvd: Web)
- rhn.redhat.com/errata/RHSA-2013-1147.html (nvd: Web)
- weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released (ghsa: Web)
- www.openwall.com/lists/oss-security/2013/02/11/7 (nvd: Web)
- www.openwall.com/lists/oss-security/2013/02/11/8 (nvd: Web)
- www.slackware.com/security/viewer.php (nvd: Web)
- www.ubuntu.com/usn/USN-1733-1 (nvd: Web)
- www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection (nvd: Web)
- exchange.xforce.ibmcloud.com/vulnerabilities/82010 (nvd: Web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2013-0269.yml (ghsa: Web)
- groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428 (nvd: Web)
- web.archive.org/web/20130228082541/http://www.securityfocus.com/bid/57899 (ghsa: Web)
- web.archive.org/web/20160331131233/http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed (ghsa: Web)
- web.archive.org/web/20160808163226/https://puppet.com/security/cve/cve-2013-0269 (ghsa: Web)
- secunia.com/advisories/52774 (nvd)
- secunia.com/advisories/52902 (nvd)
- spreecommerce.com/blog/multiple-security-vulnerabilities-fixed (nvd)
- www.osvdb.org/90074 (nvd)
- www.securityfocus.com/bid/57899 (nvd)
- puppet.com/security/cve/cve-2013-0269 (nvd)
News mentions
No linked articles in our index yet.